Archive for Breach Notification
HITECH compliance for business associates (BAs) has come and gone. The date for BAs to comply with the HIPAA Security Rule and the use and disclosures provision of the privacy rule was February 17. Further, breach notification enforcement begins February 22.
So where does your organization stand? Are you ready? Your BAs?
We can give you a pretty good idea after seeing the results of HCPro’s HIPAA and HITECH survey, which was rolled out over the past two weeks. It attracted nearly 600 respondents, mostly HIPAA compliance officers and HIM directors.
For starters, if your organization has done something with its HIPAA compliance program in light of the HITECH, you’re in the majority: 89% said they’ve responded.
And exactly what have they done?
- Rewrite policies and procedures: 74%
- Revise or draft new business associate agreements: 71%
- Conduct additional training: 65%
- Conduct an internal audit to evaluate your organization’s program: 36%
- Purchase resources to educate yourself on changes to the law: 28%
- Hire a consultant to evaluate your organization’s HIPAA compliance program: 6%
One respondent said they created a breach notification action response team, which seems to be a good idea when you consider the interim final rule on breach notification took effect last summer.
Those regulations require:
- Notice to patients alerting them to breaches “without unreasonable delay,” but no later than 60 days after discovery of the breach
- Notice to covered entities (CEs) by BAs when BAs discover a breach
- Notice to the secretary of HHS and prominent media outlets about breaches involving more than 500 patient records
- Notice to next of kin about breaches involving patients who are deceased
- Notices to include what happened, the details of the unsecured PHI that was breached, steps to help mitigate harm to the patient, and the CE’s response
- Annual notice to the secretary of HHS 60 days before the end of the calendar year about unsecured PHI breaches involving fewer than 500 patient records
“Breach notification” earned the No. 1 spot to our survey’s question, “Which provision of the American Recovery and Reinvestment Act of 2009 do you feel is the most challenging?”
It took top honors at 39%, and only 29% said they were completely ready to comply with those requirements; 61% said they were “almost ready” to comply. Amending business associate contracts took No. 2 in terms of the most challenging aspects of ARRA/HITECH at 18%. Finishing third with 16% was “Patients’ rights to accounting on EHRs,” which some told us earlier will be a logistical “nightmare.”
BA requirements under HITECH have changed drastically. Most survey respondents said they feel their BAs are ready, but the scary part is 45% said they are not confident in their BAs’ readiness.
Thinking about updating your training? An overwhelming majority (71%) of respondents said they update their training only annually. And only 31% said they are “very comfortable” that the training is effective. Most (63%) said they are “fairly comfortable.”
So what’s the parting message here, now that HITECH has essentially arrived?
Kate Borten, CISSP, CISM, president of The Marblehead Group, offers these quick tips:
- Convert more organization leaders to become privacy and security believers
- Stay focused and do not become overwhelmed by privacy/security responsibilities or discouraged by setbacks
- Develop a 2010 work plan that is both achievable and a stretch for you and your organization
John Parmigiani, president, John C. Parmigiani & Associates, LLC, in Ellicott City, MD, and one of the members of the team that created the HIPAA Security Rule, says he hopes HITECH is the wakeup call that providers and enforcers need regarding HIPAA compliance.
“Having worked both with CEs and BAs over the years in attempting to foster HIPAA compliance, I am continually amazed at the lack of understanding and completeness in their HIPAA compliance,” Parmigiani says.
Covered entities have been “emboldened by a long-standing environment of lax enforcement” and a belief that HIPAA compliance is a one-time project. It is not, he says, and perhaps government enforcement will be a harbinger for better compliance.
Through HITECH, OCR should easily be able to gain some “street cred” by quickly launching an audit initiative and “thereby sending a signal that compliance with HIPAA security and privacy is an important component of healthcare,” he says.
HHS’ “harm threshold” standard in its interim final rule on breach notification will prevent healthcare organizations from overwhelming patients with unnecessary breach notification responses, according to providers who work with privacy and security.
At the 18th annual National HIPAA Summit Friday, February 5, Judi Hofman, CAP, CHP, CHSS, privacy/information security officer for Cascade Healthcare Community at St. Charles Medical Center in Bend, OR, and Debbie Mikels, corporate manager, confidentiality for Partners Healthcare System in Boston, said the provision published August 24 in the Federal Register gives covered entities the power to prevent unnecessary notifications.
“If you flood your patients with huge concerns, you’re going to open up a floodgate of problems in your organization where you really may not have had a risk to start with,” Hofman said.
The panelists at the three-day seminar at the Wardman Park Hotel in Washington, DC, responded to a question from an attendee on the controversial harm threshold.
HHS says in the interim final rule that many commenters on its draft guidance in April suggested that HHS add a “harm threshold such that an unauthorized use or disclosure of [PHI] is considered a breach only if the use or disclosure poses some harm to the individual.”
Now, covered entities and their BAs will perform a risk assessment to determine if there is significant risk of harm to the individual whose PHI was inappropriately dispensed into the wrong hands.
According to the interim final rule, the important questions are:
- In whose hands did the PHI land?
- Can the information disclosed cause “significant risk of financial, reputational, or other harm to the individual”?
- Was mitigation possible? For example, can you obtain forensic proof that a stolen laptop computer’s data was not accessed?
Some Congressmen disagree with the standard.
Six members of the House of Representatives signed a letter on October 1 written to HHS Secretary Kathleen Sebelius that urges HHS to repeal or revise the harm standard provision in HHS’ interim final rule on breach notification.
The Congressmen, all but one of whom are Democrats, wrote they are “deeply concerned” about the harm provision because it gives covered entities and business associates (BAs) a “breadth of discretion” as they determine the level of harm to an individual whose PHI was inappropriately disclosed.
Congress explicitly rejected a harm standard when it crafted the American Recovery and Reinvestment Act of 2009 (ARRA), which includes tougher HIPAA enforcement and greater breach notification requirements.
Mikels, of Partners in Boston, said Friday her team is already prepared to conduct its harm risk assessment.
“We have to look at those harm questions,” she said.
For instance:
- Was it a release that went to a person inside your organization to another person that didn’t need to know?
- Does your organization have reason to believe that the PHI wasn’t accessed?
“What do I think about [the harm threshold]? Again, it’s a balance thing,” Mikels said. “I think it makes sense to do a risk assessment. Whoever’s the closest to the issue is the one who is best able to look at it and best able to figure out what happened.”
Without a risk assessment and determination of harm, patients would be “inundated with so many letters that the letter of the law would be meaningless,” Mikels said. “I’m kind of leaning toward I think it makes sense to do a risk analysis if we do it well and with the intent of the law. We tend to err on the side of caution and notify patients. Down the road, we wouldn’t want patients to say, ‘OK, my identity was stolen,’ and we didn’t do anything about it.”
At the last HIPAA Summit—in September—Gerry Hinkley, Esq., partner and chair of HIT practice group for Davis Wright Tremaine in San Francisco, called the harm threshold a “huge weakness.” He said if he’s a patient, he wants to be the one determining whether information that was disclosed inappropriately could cause significant harm—and not the covered entity. Some also say it allows organizations to choose at their own discretion their own breaches.
“I don’t think this is a get-out-of-jail-free card,” Hofman of Cascade Healthcare Community said Friday. “With legal, compliance and with ethics, you would hope most organizations would have a higher standard of ethics, and that we’d do our best for our patients.”
HIPAA Update to Sue McAndrew: So who pays for a breach of unsecured PHI, the business associate or the covered entity?
It looks like each, if that’s the way OCR sees it.
We asked the deputy director of OCR’s health information privacy division if a business associate could end up paying out of its own pocket for a breach.
The answer is yes.
“Business associates going forward will be directly liable for violations that occur in their possession,” McAndrew said today at the 18th Annual National HIPAA Summit. “The fines would be imposed upon the BA, and if they can’t pay, we send them to jail.”
McAndrew laughed at the line about “jail,” and said it was in jest.
She went on to say OCR would consider waiving, or decreasing, some of the penalties after an assessment of the financial state of a violating hospital. She also said that the “settlement door is always open.”
Remember the most famous settlement as of late, or infamous, if you’re CVS:
The Department of Health and Human Services (HHS) and the Federal Trade Commission (FTC) announced in February 2009 that CVS, the nation’s largest retail pharmacy chain, would pay the U.S. government $2.25 million and take corrective action in a settlement for potential privacy breaches affecting millions of patients.
The settlement ended an investigation by OCR that began with media reports that CVS used industrial trash containers to dispose of patient information outside selected stores. The containers weren’t secured and were publicly accessible, according to a February 18 HHS press release.
HIPAA Update is listening in live on the 18th Annual National HIPAA Summit.
Sue McAndrew, deputy director for Health Information Privacy for OCR, just reported these breach numbers for the month of January:
- As of January 2010, 35 reports of breaches affecting 500+ individuals, resulting in 712,000 notices
- Mostly ePHI that is contained in lost or stolen unencrypted media or portable device
- Also received over 300 reports of smaller breaches
- Mostly paper records sent to wrong fax number, wrong address, wrong individual
- If a business associate (BA) with a signed business associate agreement (BAA) is responsible for a privacy breach related to PHI, who would be responsible for the harm threshold risk analysis and breach notification, the CE or the BA?
- If a BAA is executed, can a CE still be held liable for civil money penalties (CMPs) or potential criminal liability for breaches the BA caused and/or is responsible for?
- Do the BA amendments under HITECH have to be mutually signed, or can they be unilaterally sent out to BAs to legally amend existing BAAs?
Anup Patel, MHA, JD, CHC
Presbyterian Intercommunity Hospital